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WHAT IS CLAIMED IS: 



1 LA method for providing secure external memory that stores instructions for 

2 a processor, comprising the steps of 

3 receiving a plurality of encrypted instructions into a buffer of the processor 

4 from the external memory; 

5 decrypting the plurality of encrypted instructions substantially 

6 simultaneously using a selected decryption algorithm to produce a plurality of decrypted 

7 instructions; and 

8 forwarding at least one decrypted instruction of the plurality of decrypted 

9 instructions to a processing area of the processor. 

1 2. The method according to claim 1, wherein the plurality of encrypted 

2 instructions comprise a plurality of consecutive encrypted instructions. 

1 3 . The method according to claim 2, wherein said step of receiving a plurality 

2 of encrypted instructions into a buffer of the processor from the external memory comprises 

3 the step of receiving the plurality of consecutive encrypted instructions from a bus having 
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4 a width equivalent to that of each consecutive encrypted instnjction of the plurality of 

5 consecutive encrypted instructions. 

1 4. The method according to claim 3, wherein the width is equal to eight (8) 

2 bits. 

1 5 . The method according to claim 1, wherein the selected decryption algorithm 

2 comprises at least one of a data encryption standard (DES), a triple DES, and an advanced 
4? 3 encryption standard (AES). 



Ft I 



1 6. The method according to claim 1, wherein said step of decrypting the 

2 plurality of encrypted instructions substantially simultaneously using a selected decryption 

3 algorithm to produce a plurality of decrypted instructions comprises the step of decrypting 

4 the plurality of encrypted instructions using at least one modified decryption key, the at least 

5 one modified decryption key being formed responsive, at least partly, to at least a portion 

6 of an address associated with at least one encrypted instruction of the plurality of encrypted 

7 instructions. 
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7. The method according to claim 6, wherein the at least one modified 
decryption key is formed further responsive, at least partly, to at least one decryption key, 
the at least one decryption key generated using at least a pseudo-random number generator. 

8. The method according to claim 1, further comprising the steps of: 
transferring the plurality of decrypted instructions to another buffer; 
delaying said step of forwarding at least one decrypted instruction of the 

plurality of decrypted instructions to a processing area of the processor until an instruction 
address requested by the processing area corresponds to an instruction address associated 
with the at least one decrypted instruction of the plurality of decrypted instructions; and 

wherein said step of forwarding at least one decrypted instruction of the 
plurality of decrypted instructions to a processing area of the processor comprises the step 
of forwarding the at least one decrypted instruction of the plurality of decrypted instructions 
to the processing area of the processor firom the another buffer when the instruction address 
requested by the processing area corresponds to the instruction address associated with the 
at least one decrypted instruction of the plurality of decrypted instructions. 
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1 9. The method according to claim 1, wherein the processing area of the 

2 processor comprises at least one of a central processing unit (CPU) and an instruction 

3 decoder. 

1 10. The method according to claim 1, flirther comprising the step of 

2 forwarding the plurality of decrypted instructions to a cache of the 

3 processor. 

1 11. The method according to claim 1 , wherein the method occurs within at least 



2 one of the following: a data switcher or router; a subscriber line interface card; a modem; 

3 a digitally-controlled machining tool; a portable radio; a wireless telephone; a voltmeter, 

4 ammeter, or ohmmeter; a personal digital assistant (PDA); a television; a cable or satellite 

5 TV set top box; a camcorder, a piece of audio/visual equipment; an audio compact disk 

6 (CD) system, player, or recorder; a digital versatile disk (DVD) system, player, or recorder; 

7 a piece of financial equipment, including at least one of a personal identification number 

8 (PIN) pad and a point of sale (POS) terminal; and a smart card. 



1 12. A system for providing security to stored information, comprising: 
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2 at least one memory, said at least one memory storing a plurality of 

3 encrypted instructions, each encrypted instruction of the plurality of encrypted instructions 

4 associated with an address; and 

5 a processor, said processor operatively coupled to said memory to retrieve 

6 the plurality of encrypted instructions therefrom; said processor including: 

7 a first buffer, the first buffer capable of receiving the plurality of 

8 encrypted instructions; 

9 a decryption unit, the decryption unit capable of receiving the 

1 0 plurality of encrypted instructions from the first buffer, the decryption unit adapted 

11 to decrypt the plurality of encrypted instructions using a decryption algorithm to 

1 2 produce a plurality of decrypted instructions; 

13 a second buffer, the second buffer capable of receiving the plurality 

14 of decrypted instructions from the decryption unit; and 

15 a processing area, the processing area capable of receiving at least 

1 6 one decrypted instruction of the plurality of decrypted instructions. 

1 13. The system according to claim 12, wherein said processor comprises a 

2 microcontroller. 
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1 14. The system according to claim 12, wherein the processing area comprises 

2 at least one of a central processing unit (CPU) and an instruction decoder. 

1 15, The system according to claim 12, wherein said processor further includes: 

2 a cache memory, the cache memory capable of receiving the plurality of 

3 decrypted instructions from the second buffer. 

1 16. The system according to claim 1 5, wherein the processing area is capable of 

2 receiving the at least one decrypted instruction of the plurality of decrypted instructions 

3 from the second buffer. 

1 1 7. The system according to claim 1 6, wherein said processor further includes: 

2 a memory controller, the memory controller capable of controlling 

3 movement of the plurality of decrypted instructions, the memory controller adapted to 

4 provide the processing area the at least one decrypted instruction from the second buffer 

5 and to provide the cache the plurality of decrypted instructions from the second buffer. 
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1 18. The system according to claim 1 7, wherein the memory controller is further 

2 adapted to provide the processing area the at least one decrypted instruction and the cache 

3 the plurality of decrypted instructions substantially simultaneously. 



1 19. The system according to claim 17, wherein said processor further includes: 

2 an address unit, the address unit capable of ascertaining a current instruction 

3 address, the address unit adapted to provide the instruction address to the memory 

4 controller; and 

5 wherein the at least one decrypted instruction is associated with an 

6 instruction address "X" and another decrypted instruction of the plurality of decrypted 

7 instructions is associated with an instruction address "X+l"; and the memory controller is 

8 further adapted to provide the processing area the another decrypted instruction from the 

9 cache when the current instruction address corresponds to the instruction address "X+1". 

1 20. The system according to claim 12, further comprising: 

2 a bus, said bus operatively coupling said at least one memory to said 

3 processor; and 

4 wherein a width of said bus is equivalent to a width of each encrypted 

5 instruction of the plurality of encrypted instructions. 
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1 21 . The system according to claim 20, wherein the width of said bus and the 

2 width of each encrypted instruction is equal to eight (8) bits. 

1 22. The system according to claim 15, wherein the cache is a two-way, set 

2 associative cache; and each block in each way of the cache is equal in length to a length of 

3 the second buffer. 

1 23. The system according to claim 12, wherein the decryption unit is further 

2 adapted to decrypt the plurality of encrypted instructions substantially simultaneously. 

1 24. The system according to claim 12, wherein the decryption algorithm 

2 comprises at least one of a data encryption standard (DES), a triple DES, and an advanced 

3 encryption standard (AES). 

1 25. The system according to claim 12, wherein the first buffer comprises a latch 

2 that is capable of receiving the plurality of encrypted instructions sequentially directly from 

3 a bus coupling said at least one memory to said processor. 
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1 26. The system according to claim 12, wherein the system comprises at least one 

2 of the following: a data switcher or router; a subscriber line interface card; a modem; a 

3 digitally-controlled machining tool; a portable radio; a wireless telephone; a voltmeter, 

4 ammeter, or ohmmeter; a personal digital assistant (PDA); a television; a cable or satellite 

5 TV set top box; a camcorder; a piece of audio/visual equipment; an audio compact disk 



6 (CD) system, player, or recorder; a digital versatile disk (DVD) system, player, or recorder; 

7 a piece of financial equipment, including at least one of a personal identification number 



8 (PIN) pad and a point of sale (POS) terminal; and a smart card. 

1 27. An arrangement for providing security to executable code stored in a 

2 memory external to a processor, the arrangement comprising: 

3 memory means, said memory means storing a plurality of consecutive 

4 encrypted instructions; 

5 means for sequentially receiving the plurality of consecutive encrypted 

6 instructions into a buffer means; 

7 means for substantially simuhaneously decrypting the plurality of 



8 consecutive encrypted instructions to create a plurality of consecutive decrypted 

9 instructions; and 
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1 0 means for distributing the plurality of consecutive decrypted instructions 

1 1 within the processor when requested by a processing entity. 

1 28. The arrangement according to claim 27, wherein said means for distributing 

2 the plurality of consecutive decrypted instructions within the processor when requested by 

3 a processing entity includes means for transferring a decrypted instruction of the plurality 

4 of consecutive decrypted instructions to the processing entity when the processing entity 

5 presents an instruction address that is associated with the decrypted instruction. 



L 1 29. The arrangement according to claim 28, further comprising: 

1^1 2 cache means, said cache means for storing decrypted instructions; and 

3 wherein said means for distributing the plurality of consecutive decrypted 

4 instructions within the processor when requested by a processing entity includes means, 

5 responsive to a processing entity request, for transferring the decrypted instruction from 

6 said cache means if the decrypted instruction is located therein upon receiving the 

7 processing request or for transferring the decrypted instruction prior to storing the 

8 decrypted instruction in said cache means if the decrypted instruction is not located therein 

9 upon receiving the processing entity request. 
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1 30. The arrangement according to claim 27, wherein the processor comprises 

2 a microcontroller. 

1 31. The arrangement according to claim 30, wherein the microcontroller is 

2 compatible with the 8-bit "805 1 " instruction set. 

1 32. The arrangement according to claim 27, wherein the arrangement comprises 

2 at least one of the following: a data switcher or router; a subscriber line interface card; a 

3 modem; a digitally-controlled machining tool; a portable radio; a wireless telephone; a 

4 voltmeter, ammeter, or ohmmeter; a personal digital assistant (PDA); a television; a cable 

5 or satellite TV set top box; a camcorder; a piece of audio/visual equipment; an audio 

6 compact disk (CD) system, player, or recorder; a digital versatile disk (DVD) system, 

7 player, or recorder; a piece of financial equipment, including at least one of a personal 

8 identification number (PIN) pad and a point of sale (POS) terminal; and a smart card. 

1 33. The system according to claim 12, wherein the decryption unit is further 

2 adapted to decrypt the plurality of encrypted instructions using a decryption key formed 

3 responsive, at least partly, to at least a portion of the address associated with at least one 

4 encrypted instruction of the plurality of encrypted instructions. 
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1 34. The system according to claim 33, wherein: 

2 the at least a portion of the address associated with at least one encrypted 

3 instruction of the plurality of encrypted instructions comprises an address value; and 

4 the decryption unit is further adapted to form the decryption key by utilizing 

5 at least one of the following operations: (i) "xor"ing the address value with the decryption 

6 key, (ii) adding the address value to the decryption key, and (iii) applying at least one of the 

7 address value and the decryption key to a non-linear operation. 

1 35. The arrangement according to claim 27, wherein said means for substantially 

2 simultaneously decrypting the plurality of consecutive encrypted instructions to create a 

3 plurality of consecutive decrypted instructions includes at least one decryption key; and 

4 wherein said arrangement further comprises: 

5 means for creating the at least one decryption key using at least a portion of 

6 an address associated with at least one encrypted instruction of the plurality of consecutive 

7 encrypted instructions. 



1 36. The arrangement according to claim 27, wherein said memory means stores 

2 a plurality of corresponding encrypted checksums; and 
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3 wherein said arrangement further comprises: 

4 means for comparing a calculated checksum to a corresponding decrypted 

5 checksum, the calculated checksum calculated from the plurality of consecutive decrypted 

6 instructions, and the corresponding decrypted checksum decrypted with the plurality of 

7 consecutive decrypted instructions from at least one corresponding encrypted checksum of 

8 the plurality of corresponding encrypted checksums. 

1 37. The arrangement according to claim 36, wherein said arrangement fiirther 

2 comprises: 

3 means for thwarting an attacker's attempts to breach security, said means 

4 for thwarting an attacker's attempts to breach security becoming active when said means 

5 for comparing a calculated checksum to a corresponding decrypted checksum determines 

6 that the calculated checksum is not equivalent to the corresponding decrypted checksum. 



1 38. An arrangement for providing information security with a processor, the 

2 arrangement comprising: 

3 an encrypted buffer, said encrypted buffer capable of accepting a plurality 

4 of encrypted units and adapted to offer the plurality of encrypted units; 
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5 


a decryptor, said decryptor capable of accepting the plurality of encrypted 




6 


units and adapted (i) to decrypt the plurality of encrypted units to produce a plurality of 




7 


decrypted units and (ii) to offer the plurality of decrypted units; 




8 


a decrypted buffer, said decrypted buffer capable of accepting the plurality 




9 


of decrypted units and adapted to offer at least one of a single decrypted-buflfer-originated 




10 


decrypted unit of the plurality of decrypted units and the plurality of decrypted units; 




11 


a cache, said cache capable of accepting the plurality of decrypted units and 


SrS ?■ 


12 


adapted to offer a single cache-originated unit of the plurality of decrypted units; 




13 


a processing area, said processing area capable of accepting a decrypted unit 




14 


of the plurality of decrypted units and adapted (i) to ascertain a program address and (ii) to 




15 


offer the program address; 




16 


a controller, said controller capable of accepting the program address and 




17 


adapted to control movement of the plurality of decrypted units; and 




18 


wherein said controller, at least partially, causes (i) said cache to offer the 




19 


single cache-originated decrypted unit to said processing area if a first address associated 




20 


with the single cache-originated decrypted unit corresponds to the program address and (ii) 




21 


said decrypted buffer to offer the single decrypted-buffer-originated decrypted unit to said 




22 


processing area and the plurality of decrypted units to said cache if a second address 
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2 3 associated with the single decrypted-buffer-originated decrypted unit corresponds to the 

2 4 program address. 

1 39. The arrangement according to claim 38, wherein the arrangement comprises 

2 at least one of the following: a data switcher or router; a subscriber line interface card; a 

3 modem; a digitally-controlled machining tool; a portable radio; a wireless telephone; a 

4 voltmeter, ammeter, or ohmmeter; a personal digital assistant (PDA); a television; a cable 

5 or satellite TV set top box; a camcorder; a piece of audio/visual equipment; an audio 

6 compact disk (CD) system, player, or recorder; a digital versatile disk (DVD) system, 

7 player, or recorder; a piece of financial equipment, including at least one of a personal 

8 identification number (PIN) pad and a point of sale (POS) terminal; and a smart card. 

1 40. The arrangement according to claim 38, wherein each unit comprises an 

2 instruction. 

1 41 . The arrangement according to claim 40, wherein each unit comprises a byte. 

1 42. The arrangement according to claim 38, wherein a first length of a block of 

2 said cache is equivalent to a second length of the plurality of decrypted units. 
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1 43. The arrangement according to claim 38, wherein said decryptor is further 

2 adapted to decrypt the plurality of encrypted units to produce a plurality of decrypted units 

3 using at least one decryption key. 



1 44. The arrangement according to claim 43, wherein the at least one decryption 

2 key is created, at least partially, responsive to at least a portion of the second address. 

1 45. The arrangement according to claim 38, wherein the plurality of encrypted 

2 units and the plurality of decrypted units each comprise eight (8) bytes. 

1 46. A method for providing enhanced security for a processor, comprising the 

2 steps of 

3 comparing a program address to at least one tag address of a cache to 

4 determine whether there is a hit; 

5 if the hit is determined, then transferring at least one information unit from 

6 the cache to a processing area; 

7 comparing the program address to an address corresponding to a decrypted 

8 buffer to determine whether there is a decrypted buffer match; 
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9 if the hit is not determined and the decrypted buffer match exists, then 

1 0 transferring another at least one information unit from the decrypted buffer to the processing 

1 1 area and transferring a plurality of information units from the decrypted buffer to the cache; 

1 2 comparing the program address to an address corresponding to a decryption 

1 3 unit to determine whether there is a decryption unit match; 

14 if the hit is not determined and the decrypted buffer match does not exist and 

1 5 the decryption unit match does exist, then decrypting another plurality of information units 

16 in the decryption unit and thereafter transferring the another plurality of information units 

1 7 from the decryption unit to the decrypted buffer and transferring yet another at least one 

1 8 information unit from the decrypted buffer to the processing area and transferring the 

1 9 another plurality of information units from the decrypted buffer to the cache. 

1 47. The method according to claim 46, further comprising the steps of 

2 comparing the program address to an address corresponding to an encrypted 

3 buffer to determine whether there is an encrypted buffer match; 

4 if the hit is not determined and the decrypted buffer match does not exist and 

5 the decryption unit match does not exist and the encrypted buffer match does exist, then 

6 transferring yet another plurality of information units from the encrypted buffer to the 

7 decryption unit and decrypting the yet another plurality of information units in the 
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decryption unit and thereafter transferring the yet another plurality of information units fronni 
the decryption unit to the decrypted buffer and transferring still yet another at least one 
information unit from the decrypted buffer to the processing area and transferring the yet 
another plurality of information units from the decrypted buffer to the cache. 

48. The method according to claim 46, wherein the method occurs within at 
least one of the following: a data switcher or router; a subscriber line interface card; a 
modem; a digitally-controlled machining tool; a portable radio; a wireless telephone; a 
voltmeter, ammeter, or ohmmeter; a personal digital assistant (PDA); a television; a cable 
or satellite TV set top box; a camcorder; a piece of audio/visual equipment; an audio 
compact disk (CD) system, player, or recorder; a digital versatile disk (DVD) system, 
player, or recorder; a piece of financial equipment, including at least one of a personal 
identification number (PEN) pad and a point of sale (POS) terminal; and a smart card. 

49. The arrangement according to claim 27, wherein said memory means stores 
a plurality of corresponding checksums; and 

wherein said arrangement further comprises: 

means for comparing a calculated checksum to a corresponding checksum 
of the plurality of checksums, the calculated checksum calculated from the plurality of 
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6 consecutive decrypted instructions, and the corresponding checksum is retrieved from said 

7 memory means in which it is stored clear and unencrypted. 

1 50. A method for providing enhanced security for a processor, comprising the 

2 steps of 

3 ascertaining a program counter; 

4 determining whether an instruction associated with an address that 

PI 5 corresponds to the program counter is in a cache, a decrypted buffer, a decryption unit, or 

RJ 

£ 6 an encrypted buffer; 

7 if so, forwarding the instruction; 

ff 8 if not, 

I 9 retrieving a phiraUty of encrypted instructions from an external 

1 0 memory and loading the plurality of encrypted instructions into the encrypted buffer, 

1 1 the plurality of encrypted instructions including the instruction in an encrypted 

12 format; 

1 3 forwarding the plurality of encrypted instructions from the encrypted 

1 4 buffer to the decryption unit; 
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1 5 decrypted the plurality of encrypted instructions in the decryption 

1 6 unit to produce a plurality of decrypted instructions, the plurality of decrypted 

1 7 instructions including the instruction in an unencrypted format; 

18 forwarding the plurality of decrypted instructions from the 

1 9 decryption unit to the decrypted buffer; and 

2 0 forwarding the instruction from the decrypted buffer for further 

21 processing. 

1 5 L The method according to claim 50, further comprising the step of: 

2 forwarding the plurality of decrypted instructions from the decrypted 

3 buffer to the cache approximately during effectuation of said step of forwarding the 

4 instruction from the decrypted buffer for further processing. 
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